Financial Compliance

What is SOX?

The law that reshaped corporate accountability after Enron — and the reason your accounting firm gets asked about IT General Controls every single audit.

The Short Version

SOX — the Sarbanes-Oxley Act of 2002 — was Congress's response to the Enron and WorldCom accounting scandals. It forces public companies to prove, every year, that their financial statements are accurate and their internal controls are sound. CEOs and CFOs personally certify those statements, with criminal penalties for knowingly filing false certifications.

For a small or mid-size business, SOX rarely applies directly — but it cascades. If you serve public companies, handle their data, or process transactions for them, you will receive SOX-driven audit requests about your IT controls.

Who This Applies To

  • Publicly traded companies on US exchanges — directly subject to SOX
  • Foreign private issuers listed on US markets
  • Private companies preparing to go public — SOX readiness work starts 18–24 months pre-IPO
  • Accounting firms and auditors — PCAOB registration and rules apply
  • Service providers — any vendor whose systems affect a public company's financial reporting (payroll, billing, ERP hosting, cloud) gets pulled into SOC 1 or ITGC testing
  • Subsidiaries and affiliates of public companies

What SOX Requires From Your IT

The two sections that drive IT work:

  • Section 302: CEO and CFO personally certify the accuracy of quarterly and annual financial reports
  • Section 404: Management and external auditor both attest to the effectiveness of internal controls over financial reporting (ICFR)

Those attestations rest on a foundation of IT General Controls (ITGCs). Auditors test them every cycle:

  • Access management: Unique user IDs, MFA, timely provisioning, and quarterly access reviews
  • Segregation of duties: No one person can both create and approve a financial transaction
  • Change management: Documented approval for every change to financial systems — test, approve, deploy, log
  • Computer operations: Scheduled jobs monitored, backup jobs verified, incident logs maintained
  • Data security: Encryption, patching, vulnerability management
  • Audit logs: Immutable, retained, and reviewable
  • Vendor management: SOC 1 reports on file for every outsourced financial system
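An added example, not part of the original page and not Digital Armor's tooling: a small Python script that runs the kind of automated test an ITGC walkthrough asks for on three of the controls above (segregation of duties, access management, change management). The journal entries, user accounts and change records it checks are constructed sample data, and the field names and finding labels are assumptions chosen for illustration.

```python
"""Added example: automated ITGC evidence checks over constructed sample data.

Shows one check per control: no self-approved journal entries (segregation
of duties), a quarterly access review that flags terminated, shared, non-MFA
and overdue accounts (access management), and changes that lack an approval
ticket, test evidence, or an independent approver (change management).
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    created_by: str
    approved_by: str
    amount: float


@dataclass(frozen=True)
class UserAccount:
    user_id: str
    person: str            # "" marks a shared/generic account (assumption)
    active: bool
    mfa_enabled: bool
    employed: bool         # False once HR records a termination
    last_review: date      # date of the last manager access review


@dataclass(frozen=True)
class ChangeRecord:
    change_id: str
    ticket_id: str         # "" when no approval ticket exists
    tested: bool
    approved_by: str
    deployed_by: str


def sod_conflicts(entries):
    """Entry IDs where one person both created and approved the transaction."""
    return sorted(e.entry_id for e in entries if e.created_by == e.approved_by)


def access_exceptions(accounts, as_of, review_period_days=90):
    """Map user_id -> findings for the quarterly access review (hypothetical labels)."""
    findings = {}
    for a in accounts:
        issues = []
        if a.active and not a.employed:
            issues.append("terminated-but-active")
        if a.active and not a.mfa_enabled:
            issues.append("no-mfa")
        if not a.person:
            issues.append("shared-account")
        if (as_of - a.last_review).days > review_period_days:
            issues.append("review-overdue")
        if issues:
            findings[a.user_id] = issues
    return findings


def change_exceptions(changes):
    """Map change_id -> findings: missing ticket, missing test evidence, self-approval."""
    findings = {}
    for c in changes:
        issues = []
        if not c.ticket_id:
            issues.append("no-approval-ticket")
        if not c.tested:
            issues.append("no-test-evidence")
        if c.approved_by == c.deployed_by:
            issues.append("self-approved")
        if issues:
            findings[c.change_id] = issues
    return findings


# Constructed sample data for the quarter ending 2024-03-31.
AS_OF = date(2024, 3, 31)
ENTRIES = [
    JournalEntry("JE-1001", "alice", "bob", 12500.00),
    JournalEntry("JE-1002", "carol", "carol", 9800.00),   # created and approved by carol
    JournalEntry("JE-1003", "dave", "alice", 400.00),
]
ACCOUNTS = [
    UserAccount("alice", "Alice Ng", True, True, True, AS_OF - timedelta(days=30)),
    UserAccount("erin", "Erin Ko", True, True, False, AS_OF - timedelta(days=10)),   # left, still active
    UserAccount("erp_admin", "", True, False, True, AS_OF - timedelta(days=120)),   # shared, no MFA
]
CHANGES = [
    ChangeRecord("CHG-42", "TCK-311", True, "bob", "alice"),
    ChangeRecord("CHG-43", "", False, "dave", "dave"),   # no ticket, untested, self-approved
]


def run_report():
    """Collect the three control tests into one evidence dictionary."""
    return {
        "segregation_of_duties": sod_conflicts(ENTRIES),
        "access_review": access_exceptions(ACCOUNTS, AS_OF),
        "change_management": change_exceptions(CHANGES),
    }


if __name__ == "__main__":
    for control, result in run_report().items():
        print(control, result)
```

Each function returns the exception list an auditor would sample from, so the same script can be scheduled quarterly and its output kept as the control evidence, with the empty-result runs being as important to retain as the ones with findings.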

What Happens When Controls Fail

  • Material weakness disclosure: Public filing of the control failure — share price typically drops
  • Section 302/404 restatement: Triggers shareholder lawsuits
  • CEO / CFO criminal exposure: Up to 20 years for knowingly false certifications
  • PCAOB sanctions against the auditor
  • Lost contracts: For service providers — a failed SOC 1 can end the client relationship
  • Remediation cost: Material weakness remediation routinely runs into six or seven figures

For smaller service providers, the most common outcome of poor ITGCs is losing enterprise clients — the finding doesn't have to be criminal to cost a contract.

How Digital Armor Helps

We set up the IT side of SOX compliance so auditors get what they need without a scramble every quarter:

  • Access management procedures — provisioning, deprovisioning, quarterly reviews
  • Change management workflow with documented approvals and testing
  • Segregation of duties enforced in roles and system permissions
  • Audit logs configured, retained, and centrally reviewable
  • Backup and restore procedures tested and documented
  • Vendor SOC 1 / SOC 2 tracking
  • Evidence collection automated where possible — screenshots, ticket IDs, approval chains
  • PBC (Prepared By Client) list support during audit season

Have a SOX Audit Coming Up?

Or a SOC 1 because you serve a public company? The controls are similar, the evidence requirements are specific, and the deadlines don't move. We help you go into the audit prepared — not scrambling to reconstruct six months of change approvals.

Book Your Assessment